HIPAA Security John Parmigiani Director HIPAA Compliance Services CTG HealthCare Solutions, Inc.

3  Introduction  Overview of HIPAA Security and its Impact  Some Tools for HIPAA Security Compliance  Conclusions

4

5 John Parmigiani  CTGHS Director of HIPAA Compliance Services  HCS Director of Compliance Programs  HIPAA Security Standards Government Chair/ HIPAA Infrastructure Group  Directed development and implementation of security initiatives for HCFA  Security architecture  Security awareness and training program  Systems security policies and procedures  Directed development and implementation of agency- wide information systems policy and standards and information resources management  AMC Workgroup on HIPAA Security and Privacy;Content Committee of CPRI Security and Privacy Toolkit; Editorial Advisory Board of HIPAA Compliance Alert’s HIPAA Answer Book

6

7 Security Goals  Confidentiality  Integrity  Availability

8 Security Framework  Each affected entity must assess own security needs and risks &  Devise, implement, and maintain appropriate security to address business requirements HIPAA

9 Security Standards  What do they mean for covered entities?  Procedures and systems must be updated to ensure that health care data is protected.  Written security policies and procedures must be created and/or reviewed to ensure compliance.  Employees must receive training on those policies and procedures.  Access to data must be controlled through appropriate mechanisms (for example: passwords, automatic tracking of when patient data has been created, modified, or deleted).  Security procedures/systems must be certified (self- certification is acceptable) to meet the minimum standards.

10 Security Compliance Areas:  Training and Awareness  Policy and Procedure Review  System Review  Documentation Review  Contract Review  Infrastructure and Connectivity Review  Access Controls  Authentication  Media Controls

11 Security Compliance Areas…:  Workstation  Emergency Mode Access  Audit Trails  Automatic Removal of Accounts  Event Reporting  Incident Reporting  Sanctions

12 Security Measures In general, security measures can grouped as:  Administrative  Physical  Technical (Data in transit and data at rest)

13 Administrative Procedures Checklist  Contracts with every business partner who processes PHI  Contingency Plans  Written Policies regarding routine and non- routine handling of PHI  Audit logs and reports of system access  Information Systems Security Officer  HR policies re security clearances, sanctions, terminations  Security Training  Security Plans for each system-all phases of SDLC; periodic recertification of requirements  Risk Management Process  Security Incident reporting process

14 Physical Safeguards Checklist  Policies and Procedures re data, software, hardware into and out of facilities  Physical access limitations- equipment, visitors, maintenance personnel  Secure computer room/data center  Workstation policies and procedures  Workstation location to isolate PHI from unauthorized view/use

15 Technical Security ( rest ) Checklist  Authentication Policies and Procedures- one factor/two factor/three factor  Access Controls  Data (Integrity) Verification and Validation Controls  Audit Controls  Emergency Access (Availability) Procedures

16 Technical Security ( data in transit ) Mechanisms Checklist  VPN or Internet; Intranet/Extranet  Closed or Open System  Encryption Capabilities  Alarm features to signal abnormal activity or conditions- event reporting  Audit trails  Determine that the message is intact, authorized senders and recipients, went through unimpeded  Messages that transmission signaling completion and/or operational irregularities

17

18 System Review  Inventory of Systems (updated from Y2K)  Data flows of all patient-identifiable information both internally and externally  Identify system sources and sinks of patient data and associated system vendors/external business partners

19 Documentation Review- “ if it has been documented, it hasn’t been done”!  Policies and Procedures dealing with accessing, collecting, manipulating, disseminating, transmitting, storing, disposing of, and protecting the confidentiality of patient data both internally ( ) and externally  Medical Staff By-laws  Disaster Recovery/Business Continuity Plans

20 Contract Review  Vendor responsibility for enabling HIPAA compliance both initially and with upgrades as the regulations change  Business Associate Contracts/Chain of Trust not only with systems vendors but also with billing agents, transcription services, outsourced IT, etc.  Confidentiality agreements with vendors who must access patient data for system installations and maintenance (pc Anywhere)

21 Infrastructure & Connectivity Review  System Security Plans exist for all applications  Hardware/Software Configuration Management/Change Control Procedures- procedures for installing security patches  Security is one of the mandated requirements of the Systems Development Life Cycle  Network security- firewalls, routers, servers, intrusion detection regularly tested with penetration attempts, , Internet connectivity  E-commerce initiatives involving patient data  PDAs

22 Media Controls  Policy/Procedure for receipt and removal of hardware and software (virus checking, “foreign” software)  Disable print capability, A drive, Read Only  Limit distribution/Internet access  E-fax as an alternative  Encourage individual back-up or store on network drive/ password protect confidential files

23 Workstation* Use * Applies to monitors, fax machines, printers, copy machines  Screen Savers/Automatic Log Off  Secure location to minimize the possibility of unauthorized access to individually identifiable health information  Install covers, anti-glare screens, or enclosures if unable to locate in a controlled access area  Regular updates of anti-virus software

24 Server Checklist  In a locked room?  Connected to UPS?-surge protector?- regular tests conducted?  Protected from environmental hazards?  Are routine backups done?- how often?- where are they stored?- tested regularly?- has the server ever been restored from backup media?  Anti-virus software running on server?  Is access control monitored? etc., etc.

25 Strong Passwords ( guidelines )  At least 6 characters in length (with at least one numeric or special character)  Easy to remember  Difficult to guess (by a hacker)  Don’t use personal data, words found in a dictionary, common abbreviations, team names, pet names, repeat characters  Don’t index your password each time you change it

26 Risk Analysis Process  Assets- hardware, software, data, people  Vulnerabilities- a condition or weakness (or absence of) security procedures, physical controls, technical controls, … (the NIST Handbook)  Threats- something that can potentially harm a system  Risks- caused by people, processes, and practices  Controls- policies, procedures, practices, physical access, media, technical, administrative

27 Threats/Risk Mitigators  Acts of Nature  Some type of natural disaster; tornado, earthquake, flood, etc.- Backup/Disaster Recovery Plans/Business Continuity Plans  Acts of Man  Unintentional - Sending a fax containing confidential information to the wrong fax machine; catching a computer virus- Policies & Procedures  Intentional - Abusing authorized privileges to look at patient information when there is no business “need-to-know”; hackers- Access/Authentication Controls, Audit Trails, Sanctions, Intrusion Detection

28 Termination Procedures  Documentation for ending access to systems when employment ends  Policies and Procedures for changing locks, turning in hardware, software, remote access capability  Removal from system accounts

29 Access/Authorization Controls  Only those with a “need to know”- principle of least privilege  Based on user, role, or context determines level  Must encrypt on Internet or open system  Procedure to obtain consent to use and disclose PHI

30 Sanctions  Must be spelled out  Punishment should fit the crime  Enforcement  Documentation  “Teachable Moment”- (Training Tool)

31 Incident Report and Handling  Can staff identify an unauthorized use of patient information?  Do staff know how to report security incidents?  Will staff report an incident?  Do those investigating security incidents know how to preserve evidence?  Is the procedure enforced? Security Incident Reporting: Categorizing Incident Severity & Resolution

32 Business & Technology Vendors  Billing and Management Services  Data Aggregation Services  Software Vendors  Application Service Providers/Hosting Services  Transcription Services

33 Vendor Questions  What features specifically have you incorporated into your products to support HIPAA Security and Privacy requirements; e.g., session time-outs, access controls, authorizations, backups and recovery, reporting of attempted intrusions, data integrity, audit trails, encryption algorithms, digital signatures, password changes?  Will any of these features have an adverse impact on system performance- response time, throughput, availability?  Are these capabilities easily upgradeable without scrapping the current system as HIPAA matures?; Will I have to pay for them or will they be part of regular maintenance?  Are you participating in any of the national forums like WEDI SNIP, CPRI, NCHICA, etc. that are attempting to identify best practices for HIPAA compliance?

34

35 A Balanced Approach $ Risk  Cost of safeguards vs. the value of the information to protect  Security should not impede care  Your organization’s risk aversion  Due diligence

36 Reasonableness/Common Sense  Administrative Simplification Provisions are aimed at process improvement and saving money  Healthcare providers and payers should not have to go broke becoming HIPAA- compliant  Expect fine-tuning adjustments over the years

37 Due Diligence! Remember:

38 /